On 5/29/18, Frank-Rainer Grahl wrote: > Seems to be a "feature" of Sophos to report possible ROP problems in any > software. Use latest compatible Noscript and uBlock and just add an > exception in Sophos.
If one wanted to check and see if maybe the possible ROP problem really was the result of executing a piece of malicious code from a web site, how would you go about it? I tried this: C:\Temp>type startSM-with-logging.bat @REM see https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging @REM @rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5 set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3 @rem nsHttp:3 log only http request and response headers set MOZ_LOG_FILE=%TEMP%\sm-log.txt "c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe" which is 1) more verbose than I'd like and 2) not so easy to parse. Is there some other way to keep track of what all SeaMonkey gets off the web? Thanks Lee > Dirk Munk wrote: >> Dirk Munk wrote: >>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it >>> reported a ROP problem with Seamonkey and closed it down. >>> >>> After restarting Seamonkey everything was fine again. >>> >>> Sophos gave this trace of the problem: >>> >>> Mitigation ROP >>> >>> Platform 10.0.17134/x64 v614 06_3a >>> PID 18136 >>> Application C:\Program Files\SeaMonkey\seamonkey.exe >>> Description SeaMonkey 2.49.3 >>> >>> Callee Type LoadLibrary >>> >>> Stack Trace >>> # Address Module Location >>> -- ---------------- ------------------------ >>> ---------------------------------------- >>> 1 00007FFD8A0FBC4D KernelBase.dll >>> 2 00007FFD8D6927D7 ntdll.dll >>> 3 00007FFD8D67AC26 ntdll.dll __C_specific_handler +0x96 >>> 4 00007FFD8D68EDCD ntdll.dll __chkstk +0x11d >>> 5 00007FFD8D5F6C86 ntdll.dll >>> 6 00007FFD8D68DCFE ntdll.dll KiUserExceptionDispatcher +0x2e >>> >>> 7 00007FFD3CFAF0FD xul.dll >>> 80791000 CMP BYTE >>> [RCX+0x10], 0x0 >>> 7465 JZ 0x7ffd3cfaf168 >>> 83b91c2b000000 CMP DWORD >>> [RCX+0x2b1c], 0x0 >>> 7416 JZ 0x7ffd3cfaf122 >>> 498bc0 MOV RAX, R8 >>> 482500f0ffff AND RAX, >>> 0xfffffffffffff000 >>> 488b4008 MOV RAX, [RAX+0x8] >>> 83b87008000000 CMP DWORD >>> [RAX+0x870], >>> 0x0 >>> 7446 JZ 0x7ffd3cfaf168 >>> 4d85c0 TEST R8, R8 >>> 740c JZ 0x7ffd3cfaf133 >>> 4881cae8ff0f00 OR RDX, 0xfffe8 >>> 833a01 CMP DWORD [RDX], >>> 0x1 >>> 7435 JZ 0x7ffd3cfaf168 >>> 498bc0 MOV RAX, R8 >>> 4981e0a0c0ffff AND R8, >>> 0xffffffffffffc0a0 >>> >>> 8 00007FFD3A505F69 xul.dll >>> 9 00007FFD3A50611B xul.dll >>> 10 00007FFD3CFF9A07 xul.dll >>> >>> Process Trace >>> 1 C:\Program Files\SeaMonkey\seamonkey.exe [18136] >>> 2 C:\Windows\explorer.exe [11128] >>> 3 C:\Windows\System32\userinit.exe [10980] >>> 4 C:\Windows\System32\winlogon.exe [812] >>> winlogon.exe >>> >>> Thumbprint >>> 6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d >>> >>> >> This is a security problem. According to Sophos, Seamonkey is doing >> something >> it should not be doing, perhaps executing a piece of malicious code from a >> web >> site? >> >> I've seen the problem more often now, and I wonder if someone can have a >> look >> at it? > _______________________________________________ > support-seamonkey mailing list > support-seamonkey@lists.mozilla.org > https://lists.mozilla.org/listinfo/support-seamonkey > _______________________________________________ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
